View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0033017 | mantisbt | documentation | public | 2023-10-15 06:51 | 2023-10-31 16:32 |

| Target Version | Fixed in Version |
|---|---|
| 2.26.0 | 2.26.0 |

Summary: 0033017: Mantis version visible in REST API request headers even when $g_show_version is OFF
The REST API always returns the MantisBT version in the
Originally discussed in 0032980:0068159
Tags: No tags attached.
Transcript from internal discussion on the subject
Tue, Oct 3, 2023, 10:31:02 - dregad:
Wed, Oct 4, 2023, 02:46:05 - vboctor (Victor Boctor):
Wed, Oct 4, 2023, 09:15:35 - dregad:
I agree it's just security through obscurity that does not achieve anything in terms of hardening a system, but regardless I think this is a decision that should be left to the admin, especially considering that this information is transmitted even if anonymous access is disabled and without the need for an API token.
Wed, Oct 4, 2023, 09:55:46 - vboctor (Victor Boctor):
Based on this discussion, this issue is basically a won't fix.
I'll commit a documentation change to make it clear that version can always be retrieved via REST API if enabled.
Changing category to documentation.
Hi all, please note that the version is displayed even if the API is NOT enabled.

```shell
curl -kis http://localhost/mantisbt/api/rest/
```

It allows an unauthenticated user to identify the exact version (fingerprinting), whether or not the API is enabled (in my installation it is disabled).
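As an added example (not code from the issue or from MantisBT itself), here is a small check an administrator could run over the raw output of the `curl -kis` command above to list which response headers disclose a software version, and to confirm that a deployment with `$g_show_version` OFF no longer emits the Mantis version. The sample response and the `X-Mantis-Version` header name are constructed assumptions; the issue text does not name the header that carries the version.

```python
import re

# Constructed sample of what `curl -kis` prints for the REST endpoint.
# Header names and values are illustrative assumptions, not captured output.
SAMPLE_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Date: Tue, 31 Oct 2023 16:32:00 GMT\r\n"
    "Server: Apache/2.4.57 (Debian)\r\n"
    "X-Powered-By: PHP/8.2.11\r\n"
    "X-Mantis-Version: 2.25.0\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"message":"API disabled"}'
)

# Headers that commonly carry a product/version string.
DISCLOSING_HEADERS = {"server", "x-powered-by", "x-mantis-version", "x-generator"}
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")


def parse_headers(raw_response):
    """Parse the header block of a raw HTTP response into a lowercase-name dict.

    The status line is skipped; the body after the blank line is ignored.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def version_disclosures(raw_response):
    """Return [(header, value)] for headers that expose a version number."""
    found = []
    for name, value in parse_headers(raw_response).items():
        if name in DISCLOSING_HEADERS and VERSION_RE.search(value):
            found.append((name, value))
    return found


def show_version_honored(raw_response, show_version):
    """True when the response matches the $g_show_version setting.

    With show_version False, no Mantis version header may be present at all
    (the header name is an assumption for this example).
    """
    headers = parse_headers(raw_response)
    if show_version:
        return True
    return "x-mantis-version" not in headers


if __name__ == "__main__":
    for name, value in version_disclosures(SAMPLE_RESPONSE):
        print(f"version disclosed in header {name}: {value}")
    print("show_version=OFF honored:", show_version_honored(SAMPLE_RESPONSE, False))
```

To use it against a real deployment, save the output of `curl -kis` to a file and pass its contents to `version_disclosures`; the `Server` and `X-Powered-By` findings come from the web server and PHP configuration rather than from MantisBT, so they are fixed there, not via `$g_show_version`.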
This is wrong. I'll look into it (see 0033019).